- Researchers find that 65% of Forbes top 50 AI companies are leaking secrets
- These come in the form of tokens, API keys and sensitive credentials
- Wiz used a ‘Depth, Perimeter and Coverage’ approach to spotting leaks
AI companies have had a pretty rocky history with cybersecurity and data protection, and new research from Wiz shows that this still hasn’t improved.
Looking at the Forbes top 50 leading AI companies as a benchmark, the experts revealed that nearly two-thirds (65%) of these top AI companies leaked confirmed secrets on GitHub.
These tokens, sensitive credentials, and API keys were found buried in places most researchers and scanners never look, such as deleted forks, developers' personal repos, and gists.
Wiz says it used a 'Depth, Perimeter and Coverage' framework to approach these GitHub repositories. 'Depth' means going beyond the secrets visible on the surface of a repository to sources a conventional search never reaches, such as full commit history, deleted forks and gists.
The 'perimeter' aspect of the research extended discovery to contributors and organization members, who can often 'inadvertently check company-related secrets into their own public repositories and gists'.
'Coverage' concerns new secret types that traditional scanners often miss because they have no detection pattern for them, such as API keys for AI-ecosystem services like Tavily, LangChain, Cohere or Pinecone.
Notably, when the researchers disclosed these leaks to the affected companies, almost half of the disclosures either never reached anyone, went unanswered because the company had no official notification channel, or were acknowledged but never fixed.
The researchers recommend treating secret scanning as a non-negotiable defense to implement immediately, regardless of the size of your organization.
They also recommend prioritizing detection for your own secret types: 'too many shops leak their own API keys while "eating their dog food." If your secret format is new, proactively engage vendors and the open source community to add support.'
Finally, they advise companies to set up a dedicated disclosure channel. A working disclosure process gives a company a head start on fixing any vulnerability or leak that an outside researcher finds, and those reports are an important source of information it would otherwise never receive.
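The 'coverage' gap and the 'know your own secret types' recommendation above come down to the same thing: a scanner only finds what it has a pattern for. The script below is an added example written for this article, not Wiz's tooling or any vendor's official detector. It scans a handful of constructed sources (a file from a deleted fork, a contributor's personal gist, a README placeholder and a config file) with vendor-specific patterns plus a generic assignment fallback, and uses a Shannon-entropy gate so that obvious placeholders are not reported. The key prefixes (tvly-, lsv2_pt_/lsv2_sk_, pcsk_, sk-ant-) are assumptions modelled on published key formats and should be checked against each vendor's documentation; Cohere-style keys are assumed to carry no prefix, which is why they only surface through the generic rule. All sample tokens are made up.

```python
"""Tiny secret scanner with AI-vendor patterns and an entropy gate (added example).

Assumptions: the vendor key prefixes below are illustrative and must be verified
against vendor docs; the sample sources and tokens are constructed for this example.
"""
import math
import re
from dataclasses import dataclass

# Each rule captures the whole candidate token in group 1. Vendor rules come first
# so that, when the generic rule matches the same token, the specific id wins.
PATTERNS = [
    ("tavily-api-key", re.compile(r"\b(tvly-[A-Za-z0-9_-]{20,})\b")),          # assumed format
    ("langsmith-api-key", re.compile(r"\b(lsv2_(?:pt|sk)_[A-Za-z0-9]{20,}(?:_[A-Za-z0-9]+)?)\b")),  # assumed format
    ("pinecone-api-key", re.compile(r"\b(pcsk_[A-Za-z0-9_]{20,})\b")),          # assumed format
    ("anthropic-api-key", re.compile(r"\b(sk-ant-[A-Za-z0-9_-]{40,})\b")),      # assumed format
    # Fallback for keys with no recognisable prefix: a secret-looking name assigned
    # a long token, e.g. COHERE_API_KEY=... (Cohere keys are assumed prefix-less).
    ("generic-assigned-secret",
     re.compile(r"(?i)(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{32,})['\"]?")),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    source: str
    line_no: int
    redacted: str   # never log the full token
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxxxxxx' score near zero."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return token[:8] + "..." + token[-4:] if len(token) > 16 else "***"


def scan_text(source: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Run every rule over every line; drop low-entropy matches and duplicate tokens."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, regex in PATTERNS:
            for m in regex.finditer(line):
                token = m.group(1)
                if (line_no, token) in seen:
                    continue                      # already reported under a more specific rule
                ent = shannon_entropy(token)
                if ent < min_entropy:
                    continue                      # placeholder / example value, not a live key
                seen.add((line_no, token))
                findings.append(Finding(rule_id, source, line_no, redact(token), round(ent, 2)))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


# Constructed sample sources modelling the article's 'depth' and 'perimeter' cases.
SAMPLE_SOURCES = {
    # Depth: a file that only survives in a deleted fork of the company repo.
    "deleted-fork:org/app@a1b2c3:scripts/ingest.py":
        "import tavily\n"
        "client = tavily.TavilyClient(api_key='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')\n",
    # Perimeter: a contributor's personal gist, outside the organisation's repos.
    "contributor-gist:notebook_setup.py":
        "import os\n"
        "os.environ['LANGCHAIN_API_KEY'] = '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'\n"
        "PINECONE_KEY = 'pcsk_3Hx9Qw_Tz7Lm2Vb8Nk4Rp6Yc1Dg5Fj0Sa'\n",
    # Placeholder a naive regex would flag; the entropy gate drops it.
    "org/app:README.md": "export TAVILY_API_KEY=tvly-xxxxxxxxxxxxxxxxxxxxxxxxxxxx\n",
    # Prefix-less key: only the generic assignment rule can catch it.
    "org/app:config.env": "COHERE_API_KEY=aK3mT8vQ2xL9pZ6rW1nB5cY7dF0gH4jS8uV2eI6o\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.rule_id:<24} {f.source}:{f.line_no}  {f.redacted}  H={f.entropy}")
```

Running it reports four findings (Tavily in the deleted fork, LangSmith and Pinecone in the gist, the Cohere-style key via the generic rule) and nothing for the README placeholder. The generic rule is deliberately narrow (it needs a secret-like variable name and a long token) because a bare 'any 32+ alphanumeric characters' rule drowns reviewers in hashes and IDs; the entropy gate is what lets the vendor rules stay broad without flagging documentation examples.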